CVE-2025-48887

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601
https://github.com/vllm-project/vllm/pull/18454
https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25
https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25

Configurations

No configuration.

History

30 May 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 18:15

Updated : 2025-06-02 17:32

NVD link : CVE-2025-48887

Mitre link : CVE-2025-48887

CVE.ORG link : CVE-2025-48887

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

6.5 /10